Is there any way of not allowing users to statically set an IP address on their machines?

We have a lot of servers with static IP addresses and also a DHCP server. I am afraid of allowing users to set a static IP address on their machines and that they eventually take a server's IP address by mistake.

I know we could create a rule on Active Directory blocking changes on network interfaces, or create logins without administrative rights, but all of those solutions can be bypassed. I want some server rule that only our network administrator has access to.

"I know we could create a rule on Active Directory blocking changes on network interfaces, or create logins without administrative rights, but all of those solutions can be bypassed." If your users can bypass AD/GP restrictions there's something wrong, and shouldn't your users be non-admin anyway?
– sam, Feb 15 '12 at 12:52


In that case, why not explain to them that they shouldn't change their settings and should leave their network on DHCP? So many questions around here try to solve HR problems with technology.
– sam, Feb 15 '12 at 13:11


I agree with sam. This is a people problem.
– Sirex, Feb 15 '12 at 14:05


@RafaelColucci Then your problem isn't a technical one, it's a human one. If your users need admin then they need to be trusted. If you can't stop them being admins, change the environment so you can trust them. It's probably not even a trust issue, I'm sure the developers won't do things to harm the system deliberately. Teach them why they can and can't do things, if they want an IP, get them to email you and ask for one that's free.
– sam, Feb 15 '12 at 15:24


@ChrisS But surely if untrusted users have full admin rights, regardless of how many technical solutions you put in place there will always be something they can do to bugger up something else. Is it not easier just to say "Hey, when you do x, y or z it breaks things, shoot me an email if you ever need to do anything like this and I'll show you how"?
– sam, Feb 15 '12 at 15:51

3 Answers

Workaround: Put your users and your servers in separate subnets. A quick VLAN and router change should get it running. Then your users couldn't take a server's IP address, because they're on the "wrong" physical connection to be able to do so.

You could delegate only the "administrator" privileges these users need (create a new AD group and use group policy to (for example) let them install software, but not modify network settings). This is of course contingent on whatever they "need" admin rights for not being stupid and demanding that they be members of the Administrators group...

This solution also has the advantage of enforcing the Principle of Least Privilege. From what I can glean from your question and your comments, this is something you should be working to apply throughout your organization, as your developers seem to be running roughshod over sane policy and environment stability.

Changing network settings is today's problem. Tomorrow's problem will be something else a clueless user breaks by misusing their admin rights. As Sam pointed out in the comments you really need to deal with the underlying problem (untrusted users being given admin rights) in order to keep control of your environment.

Well, that should solve part of the problems I am having. But users could install a virtual machine and set it to a static IP. But I'll keep it in mind. Thanks for the answer!!!
– Rafael Colucci, Feb 15 '12 at 15:52


You could lock your switches to only allow authorized MAC addresses on authorized ports... (I've worked in places that do that, it sucks, but it also prevents "Well I just brought my laptop, plugged it in, and assigned it a static IP" problems.)
– voretaq7♦, Feb 15 '12 at 16:03

As Chris S. stated, it would definitely be worth putting your users and your servers in separate subnets. You could also put static IP network printers in that server subnet or in their own subnet. It's a little effort with a big reward in security, organization, and management.

Second, I apologize for bringing up the local administrator privileges again, but I believe that there is a solution that will work for you. The Microsoft Application Compatibility Toolkit is designed for this kind of issue, and brought some impressive improvements for Windows 7 clients. Have you tried it yet? In short, what it does is detect what permissions your application needs (whether admin rights or permissions on restricted registry keys) and then create a "shim" to make the application work when run under a limited user account. When run as a limited user, the shim elevates the rights for that specific application and not the entire user session. This would then free you to remove those pesky administrative privileges and thus avoid your static/DHCP problem.
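Both answers above recommend splitting users and servers into separate subnets, and the comment thread raises the leftover risk (a laptop or a VM bridged onto the user VLAN with a hand-set address). Neither the question nor the answers include a way to verify that the split is actually holding, so here is an added audit script; it is not code from the original thread or from any of its participants. It assumes two things that are not in the page: a fixed server and client VLAN (10.0.10.0/24 and 10.0.20.0/24, assumed), and that the network administrator can export the DHCP lease table and the core router's ARP/neighbour table as plain "ip mac" lines. All addresses, MACs and the inventory are constructed sample data.

```python
"""Audit an ARP snapshot for static clients and squatters on the server subnet.

Added example (not from the original thread). The lease and ARP dumps below are
constructed; a real run would read the DHCP server's lease export and the
router's neighbour table, normalised to one "ip mac" pair per line.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed VLAN layout: servers and users on separate subnets, as the answers suggest.
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")
CLIENT_NET = ipaddress.ip_network("10.0.20.0/24")

# Authoritative server inventory, IP -> MAC (constructed).
SERVER_INVENTORY: Dict[str, str] = {
    "10.0.10.5": "00:50:56:aa:01:05",
    "10.0.10.6": "00:50:56:aa:01:06",
}

# Active DHCP leases on the client subnet, "ip mac" per line (constructed).
DHCP_LEASES = """\
10.0.20.101 3c:97:0e:11:22:33
10.0.20.102 3c:97:0e:44:55:66
"""

# Router ARP table, "ip mac" per line (constructed). It contains one genuine
# server, one server IP answered by a foreign MAC, one unknown host on the
# server subnet, two leased clients, and one client with no lease at all.
ARP_TABLE = """\
10.0.10.5  00:50:56:aa:01:05
10.0.10.6  8c:16:45:de:ad:01
10.0.10.20 8c:16:45:be:ef:02
10.0.20.101 3c:97:0e:11:22:33
10.0.20.102 3c:97:0e:44:55:66
10.0.20.150 f0:de:f1:ca:fe:03
"""

Finding = Tuple[str, str, str]  # (kind, ip, mac)


def parse_pairs(text: str) -> Dict[str, str]:
    """Parse 'ip mac' lines into a dict; MACs are lower-cased for comparison."""
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        pairs[ip] = mac.lower()
    return pairs


def audit(arp: Dict[str, str], leases: Dict[str, str], inventory: Dict[str, str],
          server_net: ipaddress.IPv4Network, client_net: ipaddress.IPv4Network) -> List[Finding]:
    """Flag every ARP entry that contradicts the inventory or the lease table.

    server-ip-hijacked        a server IP is answered by a MAC other than the inventory's
    unknown-host-on-server-net a server-subnet IP that is not in the inventory at all
    static-client             a client-subnet IP with no matching DHCP lease (hand-set
                              address, rogue laptop, or a bridged VM)
    """
    findings: List[Finding] = []
    for ip_str, mac in arp.items():
        ip = ipaddress.ip_address(ip_str)
        if ip in server_net:
            expected = inventory.get(ip_str)
            if expected is None:
                findings.append(("unknown-host-on-server-net", ip_str, mac))
            elif expected.lower() != mac:
                findings.append(("server-ip-hijacked", ip_str, mac))
        elif ip in client_net and leases.get(ip_str) != mac:
            findings.append(("static-client", ip_str, mac))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit(parse_pairs(ARP_TABLE), parse_pairs(DHCP_LEASES),
                 SERVER_INVENTORY, SERVER_NET, CLIENT_NET)


if __name__ == "__main__":
    for kind, ip, mac in run_audit():
        print(f"{kind:28s} {ip:16s} {mac}")
```

Run from a scheduled job on the management host, the three finding kinds map onto the thread's concerns: "server-ip-hijacked" is the duplicate-address incident the question is worried about, "unknown-host-on-server-net" means something reached the server VLAN that the subnet split should have kept out, and "static-client" catches the bridged VM or walk-in laptop that the VLAN change alone cannot prevent (which is where the switch port-security suggested in the comments would come in). The script is read-only and makes no change to the network, so it can run under a network administrator's account while the client policy question is sorted out separately.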